A new data privacy regime adopted by the European Union will have consequences for companies around the world and will set a template for New Zealand’s current review.
The General Data Protection Regulation (GDPR) comes into force for all European Union countries in May 2018 and, for the first time, will provide people with legal rights to decide how their personal data is used. The European lawmakers have serious intent, with breaches potentially attracting fines of up to €20 million (NZ$30 million).
The implementation of the new regime will be watched closely by our Privacy Commissioner and the Department of Justice, which is leading a review of the Privacy Act. This is intended to identify reforms needed to keep New Zealand regulation up to speed with developments in data science and information technology, and new data-driven business models.
In a December update report to the Government, Privacy Commissioner John Edwards recommended fines of up to NZ$1 million for serious breaches of personal information (in line with Australia’s current maximum), introducing data portability as a consumer right, and a new power to require public or private sector organisations to be able to demonstrate compliance with the Act.
GDPR represents a major overhaul of the EU’s laws, and coming up to scratch will cost many companies a great deal of effort and expense. One key change is that customer consent for all data collection and use will need to be explicit; that is, companies will have to be able to demonstrate to regulators that each customer from whom they collect data has “ticked the box”.
In addition, the so-called “right to be forgotten” for which some consumer advocates have campaigned has been recognised in a more limited “right to erasure”. New “access” rights include the right of consumers to object to their data being used for marketing purposes, and the right not to be profiled.
The law covers all people involved in the collection, processing, management and storage of data, including agencies. Companies using third parties should look for ISO 27001 accreditation and confirm that their agency understands the privacy laws in their region.
Solution Dynamics is the only New Zealand company in the customer communications service provider market to be accredited, with products that have built-in features to make many of the compliance changes relatively painless for organisations.
The European GDPR rules are the “latest and best”, the fruit of many rounds of consultation and submissions. It is highly likely that most developed countries, including New Zealand during the current modernisation of data privacy legislation, will take the opportunity to harmonise with the EU. This will inevitably have a knock-on effect around the globe as multinational companies such as banks and insurers will need to comply, and ensure their business partners are also compliant.
The EU is New Zealand’s third largest trading partner and any New Zealand businesses operating in Europe or offering services to customers based in Europe will also need to comply with the new privacy legislation.
No matter whether they are operating in the EU or New Zealand, companies would do well to start work now to ensure they’re able to demonstrate valid consent for all forms of customer communication.
Chief Executive Officer